Page MenuHomeVyOS Platform
Create Task
Maniphest T1808

add package nftables
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

vyos doesn't have nft command.
It can be interesting if you want to create your own rules with nft instead of old iptables suite.

Thanks.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

elbuit created this task.Nov 16 2019, 5:18 PM
c-po added a subscriber: c-po.EditedNov 16 2019, 6:42 PM

I guess we will make use of nftables when the firewall codebase is rewritten. That rewrite is a major effort and on the roadmap - but it does not have momentum/priority yet due to limited resources.

Would like to contribute?

syncer triaged this task as Wishlist priority.Nov 16 2019, 9:57 PM
elbuit added a comment.Nov 16 2019, 10:55 PM

wow christian, to move from iptables to nftables is not a small project.
As far I remember vyos has a quite complex iptables chains.
Bu in fact, I'm quite disconnected from vyos.

I would like to help if I had some free time, but something small.

Viacheslav added a subscriber: Viacheslav.Jan 11 2020, 11:58 AM

@elbuit
Rolling is support nft now.

vyos@mpls:~$ sudo nft -v
nftables v0.9.0 (Fearless Fosdick)

There are examples and descriptions that you would like to see in the system?

elbuit added a comment.Jan 11 2020, 8:00 PM

Thanks @Viacheslav, I've build a custom vyos 1.2.4 with nftables package because I want to add custom rules in nftables mode.

Rolling uses a iptables - nftables wrapper that converts iptables to nft, but I think that firewall needs to be rewritten from zero, and clean it. There are other sections that depends on iptables (ie: flow accounting, connection tracking,..)

The think I like of nftables is "compiled" before be applied, and if "compilation" fails ruleset won't be applied ( That is quite similar to FreeBSD pf)
For that, to convert all vyos rules to a nft file and then compile and apply it could be an acceptable implementation, even if you only add a single rule.

If compilation works it applies new ruleset, if not, previous ruleset is maintained.

That implementation is not as complicated as we have now in current vyos, and most of it could be done with a jinja2 template.

Viacheslav added a comment.Jan 12 2020, 10:25 AM

@elbuit

vyos@mpls# sudo nft list table nat
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority -100; policy accept;
		counter packets 0 bytes 0 jump VYATTA_PRE_DNAT_HOOK
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority 100; policy accept;
		counter packets 0 bytes 0 jump VYATTA_PRE_SNAT_HOOK
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}

	chain VYATTA_PRE_DNAT_HOOK {
		counter packets 0 bytes 0 return
	}

	chain VYATTA_PRE_SNAT_HOOK {
		counter packets 0 bytes 0 return
	}
}
[edit]
vyos@mpls#

Let us know if you need help.

pasik added a subscriber: pasik.May 19 2020, 8:05 PM
c-po added a comment.Jun 25 2020, 6:21 PM

Latest rolling has nftables 0.9.6 - closing this

c-po closed this task as Resolved.Jun 25 2020, 6:21 PM
c-po claimed this task.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Aug 3 2020, 3:27 PM
erkin set Issue type to Feature (new functionality).Aug 31 2021, 6:17 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 7:13 PM
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.